<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Exchange Online — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/exchange-online/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 18 May 2026 10:04:48 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/exchange-online/feed.xml" rel="self" type="application/rss+xml"/><item><title>Entra ID OAuth Device Code Phishing via AiTM</title><link>https://feed.craftedsignal.io/briefs/2026-05-entra-device-code-phishing/</link><pubDate>Mon, 18 May 2026 10:04:48 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-entra-device-code-phishing/</guid><description>Detects successful Microsoft Entra ID sign-ins using the OAuth device code authentication protocol with the Microsoft Authentication Broker client requesting first-party Office API resources, indicative of adversary-in-the-middle (AiTM) phishing attacks such as Tycoon 2FA.</description><content:encoded><![CDATA[<p>This detection identifies a specific pattern associated with adversary-in-the-middle (AiTM) phishing campaigns targeting Microsoft Entra ID. It focuses on successful sign-ins utilizing the OAuth device code authentication protocol in conjunction with the Microsoft Authentication Broker client. A key characteristic is the request for first-party Office API resources, specifically Exchange Online, Microsoft Graph, or SharePoint. The activity is flagged as interactive. 
This tactic is associated with AiTM phishing kits such as Tycoon 2FA: the victim is tricked into completing a device code flow that the attacker started, and the attacker&rsquo;s polling client receives an access token and a refresh token for mail and collaboration APIs under the victim&rsquo;s identity. Because the victim signs in on a genuine Microsoft endpoint, the sign-in carries a normal MFA claim and looks legitimate apart from the protocol, client and resource combination this rule keys on. Microsoft&rsquo;s blog post of February 13, 2025 on the Storm-2372 campaign documents this technique in the wild.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker requests a device code from the Entra ID device authorization endpoint using the Microsoft Authentication Broker client ID and a first-party Office API resource: Exchange Online (resource ID 00000002-0000-0ff1-ce00-000000000000), Microsoft Graph (00000003-0000-0000-c000-000000000000) or SharePoint Online (00000003-0000-0ff1-ce00-000000000000). The response contains a short-lived user code (typically valid for 15 minutes) and a device code the attacker will poll with.</li>
<li>The attacker sends a phishing email, chat message or QR code that carries the user code and points the victim to a device login page, either the genuine Microsoft device login page or an attacker-controlled page that relays the code to it.</li>
<li>The victim opens the link or scans the QR code and is prompted to enter the code; the prompt looks like a routine Microsoft sign-in and names a Microsoft first-party application.</li>
<li>The victim enters the user code, signs in and completes MFA as normal. No credential is ever sent to the attacker; the victim is authorizing the attacker&rsquo;s pending device code request.</li>
<li>The attacker&rsquo;s poll of the token endpoint now succeeds and returns an access token and a refresh token for the requested resource, scoped to the victim&rsquo;s identity.</li>
<li>Entra ID records the event as a successful interactive sign-in with authentication protocol &ldquo;deviceCode&rdquo;, client application &ldquo;Microsoft Authentication Broker&rdquo; and the Office API as the resource display name; this is the combination the rule matches.</li>
<li>The attacker uses the tokens against Exchange Online, Microsoft Graph or SharePoint to read mail and files and exfiltrate data, and renews access with the refresh token until it is revoked.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation gives the attacker tokens for the victim&rsquo;s Microsoft Entra ID account and the Office resources behind them: mailbox contents, files and other sensitive data, with the associated risk of data theft, financial loss and reputational damage. Unlike credential phishing, the victim completes MFA legitimately on Microsoft&rsquo;s own device login page, so the attack is not stopped by stronger or even phishing-resistant MFA on its own; the effective control is preventing the device code flow for users who do not need it. Kits such as Tycoon 2FA package this flow for their customers. The scale of impact depends on the permissions and data reachable from the compromised account.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Entra ID OAuth Device Code Phishing via AiTM&rdquo; to your SIEM to detect suspicious device code authentication flows.</li>
<li>Investigate any alerts triggered by the Sigma rule, focusing on <code>azure.signinlogs.properties.user_principal_name</code>, <code>azure.signinlogs.properties.session_id</code>, <code>source.ip</code>, and <code>azure.signinlogs.properties.resource_display_name</code>.</li>
<li>Use the Conditional Access &ldquo;Authentication flows&rdquo; condition to block the device code flow for all users, and scope any exception to the identities, networks and devices that genuinely need it (headless or input-constrained devices). Restricting rather than blocking still leaves a phishing path for the in-scope users, so keep that group small and monitored.</li>
<li>Revoke the affected user&rsquo;s refresh tokens (the Microsoft Graph <code>revokeSignInSessions</code> action) and reset credentials per policy. Revocation invalidates the refresh token, but access tokens already issued remain usable until they expire, so also review what the tokens touched and any device the broker client registered for the user during the session.</li>
</ul>
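<p>The following is an added example, not CraftedSignal&rsquo;s Sigma rule: it applies the pattern described above (successful interactive sign-in, device code protocol, Microsoft Authentication Broker as client, an Office API as resource) to constructed Entra ID sign-in records and groups hits per user session. The field names follow Elastic&rsquo;s <code>azure.signinlogs</code> mapping as an assumption; the brief itself names only <code>user_principal_name</code>, <code>session_id</code>, <code>source.ip</code> and <code>resource_display_name</code>. The Azure CLI and Azure Service Management identifiers are included only to show a legitimate device code sign-in that must not alert.</p>

```python
"""Device code phishing detection run over constructed Entra ID sign-in events.

Added example, not CraftedSignal's Sigma rule. Field names follow Elastic's
azure.signinlogs mapping as an assumption: the brief names only
user_principal_name, session_id, source.ip and resource_display_name.
"""
from collections import defaultdict

# Well-known Microsoft first-party identifiers.
AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"
OFFICE_RESOURCE_IDS = {
    "00000002-0000-0ff1-ce00-000000000000": "Office 365 Exchange Online",
    "00000003-0000-0000-c000-000000000000": "Microsoft Graph",
    "00000003-0000-0ff1-ce00-000000000000": "Office 365 SharePoint Online",
}
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"   # legitimate device code user
ARM_RESOURCE_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"    # Azure Service Management API


def is_device_code_phishing(ev):
    """Match the brief's pattern: a successful interactive sign-in that used the
    device code protocol, with the broker as client, to an Office API resource."""
    return (
        ev.get("event.outcome") == "success"
        and ev.get("azure.signinlogs.category") == "SignInLogs"   # interactive log
        and ev.get("azure.signinlogs.properties.authentication_protocol") == "deviceCode"
        and ev.get("azure.signinlogs.properties.app_id") == AUTH_BROKER_APP_ID
        and ev.get("azure.signinlogs.properties.resource_id") in OFFICE_RESOURCE_IDS
    )


def run_detection(events):
    """One alert per (user, session) carrying the brief's triage fields and every
    Office resource the session obtained a token for."""
    hits = defaultdict(lambda: {"resources": set(), "source_ips": set()})
    for ev in events:
        if not is_device_code_phishing(ev):
            continue
        key = (ev["azure.signinlogs.properties.user_principal_name"],
               ev["azure.signinlogs.properties.session_id"])
        hits[key]["resources"].add(ev["azure.signinlogs.properties.resource_display_name"])
        hits[key]["source_ips"].add(ev["source.ip"])
    return [
        {"user": user, "session_id": sid,
         "source_ips": sorted(v["source_ips"]), "resources": sorted(v["resources"])}
        for (user, sid), v in hits.items()
    ]


def sample_event(user, sid, ip, protocol, app_id, resource_id,
                 category="SignInLogs", outcome="success"):
    """Build a constructed sign-in record in the flattened field layout above."""
    return {
        "event.outcome": outcome,
        "source.ip": ip,
        "azure.signinlogs.category": category,
        "azure.signinlogs.properties.user_principal_name": user,
        "azure.signinlogs.properties.session_id": sid,
        "azure.signinlogs.properties.authentication_protocol": protocol,
        "azure.signinlogs.properties.app_id": app_id,
        "azure.signinlogs.properties.resource_id": resource_id,
        "azure.signinlogs.properties.resource_display_name":
            OFFICE_RESOURCE_IDS.get(resource_id, "Other"),
    }


# Constructed sample data (RFC 5737 addresses). Only alice and frank should alert.
SAMPLE_EVENTS = [
    sample_event("alice@example.com", "s1", "203.0.113.10", "deviceCode",
                 AUTH_BROKER_APP_ID, "00000002-0000-0ff1-ce00-000000000000"),
    sample_event("alice@example.com", "s1", "203.0.113.10", "deviceCode",
                 AUTH_BROKER_APP_ID, "00000003-0000-0000-c000-000000000000"),
    # Non-interactive token refresh: excluded by the category check.
    sample_event("bob@example.com", "s2", "198.51.100.7", "deviceCode",
                 AUTH_BROKER_APP_ID, "00000003-0000-0000-c000-000000000000",
                 category="NonInteractiveUserSignInLogs"),
    # Developer running az login --use-device-code against ARM: other client and resource.
    sample_event("carol@example.com", "s3", "192.0.2.5", "deviceCode",
                 AZURE_CLI_APP_ID, ARM_RESOURCE_ID),
    # Failed attempt (for example an expired user code): excluded by the outcome check.
    sample_event("dave@example.com", "s4", "203.0.113.10", "deviceCode",
                 AUTH_BROKER_APP_ID, "00000002-0000-0ff1-ce00-000000000000",
                 outcome="failure"),
    sample_event("frank@example.com", "s6", "203.0.113.44", "deviceCode",
                 AUTH_BROKER_APP_ID, "00000003-0000-0ff1-ce00-000000000000"),
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

<p>Grouping by session rather than emitting one alert per sign-in event matters here: a single device code authorization usually produces one sign-in per resource the token is later exchanged for, and seeing Exchange Online and Graph together in the same session from the same source address is the strongest single signal in the triage fields the brief lists.</p>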
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>cloud</category><category>identity</category><category>azure</category><category>entra_id</category><category>phishing</category></item><item><title>Microsoft 365 AiTM UserLoggedIn via Office App (Tycoon2FA)</title><link>https://feed.craftedsignal.io/briefs/2026-05-tycoon-aitm-o365/</link><pubDate>Mon, 18 May 2026 09:26:46 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-tycoon-aitm-o365/</guid><description>This rule detects Microsoft 365 audit events indicative of Tycoon 2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity, identifying UserLoggedIn events where the Microsoft Authentication Broker requests access to Microsoft Graph or Exchange Online, or the Office web client application authenticates to itself, combined with Node.js-style user agents, bypassing MFA by relaying authentication and capturing session material.</description><content:encoded><![CDATA[<p>This detection focuses on identifying adversary-in-the-middle (AiTM) phishing activity targeting Microsoft 365 environments, specifically related to the Tycoon 2FA phishing-as-a-service platform. The attack leverages AiTM techniques to bypass multi-factor authentication (MFA) by relaying authentication requests and capturing session cookies. The detection is based on the observation of specific Microsoft 365 audit events, namely &ldquo;UserLoggedIn&rdquo;, combined with anomalous user agent strings indicative of Node.js-based tooling (node, axios, undici). The activity involves the Microsoft Authentication Broker requesting access to Microsoft Graph or Exchange Online, or the Office web client authenticating to itself, which are patterns associated with Tycoon 2FA. Defenders should baseline legitimate automation and developer tooling environments to avoid false positives.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker runs a Tycoon 2FA phishing campaign against Microsoft 365 users to capture both credentials and an authenticated session.</li>
<li>The victim receives a phishing email or message with a link to a Tycoon 2FA reverse proxy that presents a faithful copy of the Microsoft 365 sign-in flow.</li>
<li>The victim opens the link and enters their credentials on the proxied page.</li>
<li>The proxy forwards the credentials to the real Microsoft sign-in endpoint in real time.</li>
<li>Entra ID issues an MFA challenge, which the proxy renders back to the victim.</li>
<li>The victim completes the challenge (typing a one-time code into the proxied page or approving a push prompt), and the proxy forwards the result.</li>
<li>Entra ID accepts the authentication and returns the session cookies to the proxy rather than to the victim&rsquo;s browser.</li>
<li>The kit&rsquo;s backend replays the captured session from its own Node.js-based tooling, which is why the resulting UserLoggedIn events show the Microsoft Authentication Broker requesting Microsoft Graph or Exchange Online, or the Office web client authenticating to itself, with node, axios or undici user agents and no further credential or MFA prompt.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to gain unauthorized access to Microsoft 365 accounts, potentially leading to data exfiltration, financial fraud, or further lateral movement within the organization. The use of Tycoon 2FA underscores the increasing sophistication of phishing attacks, making it more difficult for users to detect and avoid. Without proper detection and response mechanisms, organizations are vulnerable to significant compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA)&rdquo; to your SIEM and tune for your environment to detect suspicious login patterns.</li>
<li>Review <code>o365.audit.UserId</code>, <code>user_agent.original</code>, <code>source.ip</code> or <code>o365.audit.ActorIpAddress</code>, and related Entra ID sign-in logs (<code>azure.signinlogs</code>) for the same session or time window as described in the rule&rsquo;s &ldquo;Triage and Analysis&rdquo; section.</li>
<li>Revoke refresh tokens for compromised users, reset credentials per policy, and review conditional access outcomes if malicious activity is confirmed, as outlined in the rule&rsquo;s &ldquo;Response and Remediation&rdquo; section.</li>
<li>Block or monitor the source IPs identified in the logs and escalate per incident procedures, as suggested in the rule&rsquo;s &ldquo;Response and Remediation&rdquo; section.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cloud</category><category>identity</category><category>saas</category><category>microsoft365</category><category>aitm</category><category>tycoon2fa</category><category>phishing</category></item><item><title>Tycoon2FA AiTM Phishing via Microsoft Entra ID Sign-Ins</title><link>https://feed.craftedsignal.io/briefs/2026-05-tycoon2fa-entra-id/</link><pubDate>Mon, 18 May 2026 09:26:29 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-tycoon2fa-entra-id/</guid><description>Detects Microsoft Entra ID sign-ins consistent with Tycoon2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity targeting Microsoft 365 and Gmail, where the Microsoft Authentication Broker requests tokens for Microsoft Graph or Exchange Online, or the Office web client application authenticates to itself, combined with Node.js-style user agents (node, axios, undici).</description><content:encoded><![CDATA[<p>This rule detects Microsoft Entra ID sign-ins indicative of Tycoon2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) attacks. Tycoon2FA is designed to bypass multi-factor authentication (MFA) by relaying authentication requests and capturing session cookies, primarily targeting Microsoft 365 and Gmail accounts. The activity is characterized by the Microsoft Authentication Broker (app ID <code>29d9ed98-a469-4536-ade2-f981bc1d605e</code>) requesting tokens for Microsoft Graph (<code>00000003-0000-0000-c000-000000000000</code>) or Exchange Online (<code>00000002-0000-0ff1-ce00-000000000000</code>), or the Office web client application (app ID <code>4765445b-32c6-49b0-83e6-1d93765276ca</code>) authenticating to itself, in conjunction with Node.js-style user agents (node, axios, undici). 
Defenders should baseline legitimate automation and developer tooling using these patterns to minimize false positives.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The victim receives a phishing email or message with a link that leads to a Tycoon2FA reverse proxy imitating the Microsoft 365 sign-in page.</li>
<li>The victim opens the link; the proxy relays every request to the real Microsoft Entra ID sign-in endpoint and serves the responses back to the victim.</li>
<li>The victim enters their credentials, which the proxy captures in transit.</li>
<li>Entra ID issues the MFA challenge through the proxy and the victim completes it, so the sign-in is MFA-satisfied from Entra ID&rsquo;s point of view.</li>
<li>The session cookies issued at the end of the flow land on the proxy, which the kit stores for the operator.</li>
<li>The operator replays the session cookies from their own tooling. The resulting sign-ins show the Microsoft Authentication Broker requesting Microsoft Graph or Exchange Online tokens, or the Office web client application authenticating to itself, with node, axios or undici user agents, and require no password or MFA.</li>
<li>The attacker uses the access to read mail, retrieve files or launch further attacks from the victim&rsquo;s account.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation leads to account compromise and unauthorized access to sensitive data within Microsoft 365 and Gmail environments. This can result in data breaches, financial loss, and reputational damage. Tycoon2FA is a phishing-as-a-service (PhaaS) platform, enabling even less sophisticated attackers to successfully bypass MFA, potentially affecting a large number of users.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect potential AiTM attacks targeting Microsoft Entra ID.</li>
<li>Monitor Microsoft Entra ID sign-in logs for the specific application IDs (<code>29d9ed98-a469-4536-ade2-f981bc1d605e</code>, <code>4765445b-32c6-49b0-83e6-1d93765276ca</code>) and resource IDs (<code>00000002-0000-0ff1-ce00-000000000000</code>, <code>00000003-0000-0000-c000-000000000000</code>) associated with Tycoon2FA, as described in the overview.</li>
<li>Investigate sign-ins originating from unusual user agents, especially those containing &ldquo;node&rdquo;, &ldquo;axios&rdquo;, or &ldquo;undici&rdquo; when used in conjunction with the Microsoft Authentication Broker or Office web client application.</li>
<li>Review Conditional Access and MFA configuration with reverse-proxy AiTM in mind: require phishing-resistant authentication strengths (FIDO2 security keys or passkeys, whose WebAuthn assertions are bound to the real sign-in origin and cannot be relayed by a proxy) and require compliant or hybrid-joined devices for Microsoft 365 access, so a replayed session cookie on its own is not enough.</li>
<li>Educate users about phishing techniques and the importance of verifying login pages and MFA requests.</li>
</ul>
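<p>The following is an added example, not CraftedSignal&rsquo;s rules: it implements the shared logic of this brief and the preceding &ldquo;Microsoft 365 AiTM UserLoggedIn via Office App&rdquo; brief (Microsoft Authentication Broker requesting Microsoft Graph or Exchange Online, or the Office web client authenticating to itself, combined with a node, axios or undici user agent) over constructed records from both log sources, suppresses baselined automation egress, and merges evidence for the same user and source IP into one alert. Field placement is an assumption taken from Elastic&rsquo;s ECS mappings: for <code>o365.audit</code> UserLoggedIn records, <code>ApplicationId</code> is the client, <code>ObjectId</code> the target resource and the user agent sits under <code>ExtendedProperties</code>; for <code>azure.signinlogs</code> the fields named in the briefs are used. The allowlisted IP is constructed.</p>

```python
"""Tycoon2FA AiTM pattern applied to constructed M365 audit and Entra sign-in records.

Added example, not CraftedSignal's rules. Field placement is an assumption
taken from Elastic's ECS mappings: for o365.audit UserLoggedIn, ApplicationId is
the client, ObjectId the target resource and the user agent sits under
ExtendedProperties; for azure.signinlogs the fields named in the briefs are used.
"""
import re
from collections import defaultdict

AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"
OFFICE_WEB_APP_ID = "4765445b-32c6-49b0-83e6-1d93765276ca"
GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"
EXO_RESOURCE_ID = "00000002-0000-0ff1-ce00-000000000000"

# Node.js-style HTTP client names from the briefs; word boundaries avoid
# matching them inside unrelated product names.
NODE_UA = re.compile(r"\b(node|axios|undici)\b", re.IGNORECASE)

# Baseline of legitimate automation egress (constructed; populate from your own
# developer tooling and CI inventory).
BASELINE_AUTOMATION_IPS = {"198.51.100.5"}


def normalize(ev):
    """Map either log source onto one shape, or return None if not applicable."""
    if ev.get("event.dataset") == "o365.audit":
        if ev.get("o365.audit.Operation") != "UserLoggedIn":
            return None
        ext = ev.get("o365.audit.ExtendedProperties", {})
        return {"source": "o365.audit", "user": ev["o365.audit.UserId"],
                "app_id": ev.get("o365.audit.ApplicationId"),
                "resource_id": ev.get("o365.audit.ObjectId"),
                "ua": ext.get("UserAgent", ""), "ip": ev.get("o365.audit.ActorIpAddress")}
    if ev.get("event.dataset") == "azure.signinlogs":
        return {"source": "azure.signinlogs",
                "user": ev["azure.signinlogs.properties.user_principal_name"],
                "app_id": ev.get("azure.signinlogs.properties.app_id"),
                "resource_id": ev.get("azure.signinlogs.properties.resource_id"),
                "ua": ev.get("user_agent.original", ""), "ip": ev.get("source.ip")}
    return None


def matches_tycoon_pattern(n):
    """Broker -> Graph/Exchange Online, or Office web client -> itself, plus a Node.js UA."""
    broker_to_office = (n["app_id"] == AUTH_BROKER_APP_ID
                        and n["resource_id"] in (GRAPH_RESOURCE_ID, EXO_RESOURCE_ID))
    office_to_self = n["app_id"] == OFFICE_WEB_APP_ID and n["resource_id"] == OFFICE_WEB_APP_ID
    return (broker_to_office or office_to_self) and NODE_UA.search(n["ua"]) is not None


def run_detection(events, baseline_ips=BASELINE_AUTOMATION_IPS):
    """Group hits by (user, source IP) so evidence from both log sources for the
    same replayed session lands in a single alert; baseline IPs are suppressed."""
    alerts = defaultdict(lambda: {"sources": set(), "user_agents": set()})
    for ev in events:
        n = normalize(ev)
        if n is None or not matches_tycoon_pattern(n) or n["ip"] in baseline_ips:
            continue
        alerts[(n["user"], n["ip"])]["sources"].add(n["source"])
        alerts[(n["user"], n["ip"])]["user_agents"].add(n["ua"])
    return {k: {"sources": sorted(v["sources"]), "user_agents": sorted(v["user_agents"])}
            for k, v in alerts.items()}


CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")

# Constructed sample records (RFC 5737 addresses).
SAMPLE_EVENTS = [
    {"event.dataset": "o365.audit", "o365.audit.Operation": "UserLoggedIn",
     "o365.audit.UserId": "alice@example.com", "o365.audit.ApplicationId": AUTH_BROKER_APP_ID,
     "o365.audit.ObjectId": GRAPH_RESOURCE_ID, "o365.audit.ActorIpAddress": "203.0.113.10",
     "o365.audit.ExtendedProperties": {"UserAgent": "axios/1.6.8"}},
    {"event.dataset": "azure.signinlogs",
     "azure.signinlogs.properties.user_principal_name": "alice@example.com",
     "azure.signinlogs.properties.app_id": AUTH_BROKER_APP_ID,
     "azure.signinlogs.properties.resource_id": EXO_RESOURCE_ID,
     "user_agent.original": "node", "source.ip": "203.0.113.10"},
    {"event.dataset": "azure.signinlogs",
     "azure.signinlogs.properties.user_principal_name": "bob@example.com",
     "azure.signinlogs.properties.app_id": OFFICE_WEB_APP_ID,
     "azure.signinlogs.properties.resource_id": OFFICE_WEB_APP_ID,
     "user_agent.original": "undici", "source.ip": "203.0.113.77"},
    # Real browser sign-in through the broker: same app/resource pair, no Node.js UA.
    {"event.dataset": "azure.signinlogs",
     "azure.signinlogs.properties.user_principal_name": "carol@example.com",
     "azure.signinlogs.properties.app_id": AUTH_BROKER_APP_ID,
     "azure.signinlogs.properties.resource_id": GRAPH_RESOURCE_ID,
     "user_agent.original": CHROME_UA, "source.ip": "192.0.2.5"},
    # Matches the pattern but comes from baselined automation egress.
    {"event.dataset": "o365.audit", "o365.audit.Operation": "UserLoggedIn",
     "o365.audit.UserId": "dave@example.com", "o365.audit.ApplicationId": AUTH_BROKER_APP_ID,
     "o365.audit.ObjectId": GRAPH_RESOURCE_ID, "o365.audit.ActorIpAddress": "198.51.100.5",
     "o365.audit.ExtendedProperties": {"UserAgent": "axios/1.6.8"}},
    {"event.dataset": "o365.audit", "o365.audit.Operation": "UserLoggedOut",
     "o365.audit.UserId": "erin@example.com"},
]

if __name__ == "__main__":
    for (user, ip), evidence in run_detection(SAMPLE_EVENTS).items():
        print(user, ip, evidence)
```

<p>The baseline is deliberately an explicit allowlist rather than a broader user agent exclusion: a developer&rsquo;s axios script and a Tycoon2FA replay look identical at the user agent level, so the only durable way to separate them is by the source addresses and identities you already know run such tooling, which is what the briefs mean by baselining before deployment.</p>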
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>tycoon2fa</category><category>aitm</category><category>entra_id</category><category>phishing</category><category>credential_access</category></item></channel></rss>